commit 19f2d59184a68911d16120184619edca1ed4c09b
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Mar 28 18:31:25 2022 +0200
committer GitHub <noreply@github.com> Mon Mar 28 18:31:25 2022 +0200
tree 2ebd7df246d282d6d9e65e45bf9d89c976b0804d
parent ce514def843439c22f51db8794f74f8bb3c96b04
parent e7dad1f616f630b375a15f849e7f57aa317111be

Merge pull request #5660 from ronald-cron-arm/restore-full-compat-testing-2.28

Backport 2.28: Restore full compat testing

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1a63173..8d5e39f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2354,12 +2354,8 @@
     const mbedtls_ssl_ciphersuite_t *suite = NULL;
     const mbedtls_cipher_info_t *cipher = NULL;
 
-    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
-        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
-    {
-        *olen = 0;
-        return;
-    }
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
 
     /*
      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
@@ -2372,6 +2368,11 @@
         ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
         cipher->mode != MBEDTLS_MODE_CBC )
     {
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
+    }
+
+    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
+    {
         *olen = 0;
         return;
     }

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bd0eb10..c85291e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1361,7 +1361,7 @@
      * the structure field for the IV, which the PSA-based
      * implementation currently doesn't. */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
                                         cipher_info, transform->taglen );
@@ -1404,7 +1404,7 @@
      * the structure field for the IV, which the PSA-based
      * implementation currently doesn't. */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
     {
         ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
                                         cipher_info, transform->taglen );

tests/compat.sh

diff --git a/tests/compat.sh b/tests/compat.sh
index 444c80c..42b9cdb 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -227,15 +227,6 @@
         G_CIPHERS=$( filter "$G_CIPHERS" )
     fi
 
-    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check what OpenSSL
-    # supports from the s_server help. (The s_client help isn't
-    # accurate as of 1.0.2g: it supports DTLS 1.2 but doesn't list it.
-    # But the s_server help seems to be accurate.)
-    if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$MODE "; then
-        M_CIPHERS=""
-        O_CIPHERS=""
-    fi
-
     # For GnuTLS client -> mbed TLS server,
     # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
     if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
@@ -870,6 +861,7 @@
 
 setup_arguments()
 {
+    O_MODE=""
     G_MODE=""
     case "$MODE" in
         "ssl3")
@@ -882,6 +874,7 @@
             G_PRIO_MODE="+VERS-TLS1.1"
             ;;
         "tls12")
+            O_MODE="tls1_2"
             G_PRIO_MODE="+VERS-TLS1.2"
             ;;
         "dtls1")
@@ -889,6 +882,7 @@
             G_MODE="-u"
             ;;
         "dtls12")
+            O_MODE="dtls1_2"
             G_PRIO_MODE="+VERS-DTLS1.2"
             G_MODE="-u"
             ;;
@@ -905,7 +899,7 @@
     fi
 
     M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
-    O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE"
+    O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
     G_SERVER_ARGS="-p $PORT --http $G_MODE"
     G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
 
@@ -930,7 +924,7 @@
     fi
 
     M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
-    O_CLIENT_ARGS="-connect localhost:$PORT -$MODE"
+    O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
     G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
     G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
 
@@ -1329,6 +1323,15 @@
                         continue;
                     fi
 
+                    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+                    # supports $O_MODE from the s_server help. (The s_client
+                    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+                    # but doesn't list it. But the s_server help seems to be
+                    # accurate.)
+                    if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
+                        continue;
+                    fi
+
                     reset_ciphersuites
                     add_common_ciphersuites
                     add_openssl_ciphersuites